Encrypting string for querystring
Encrypting string for querystring - 2/24/2009 2:39:54 PM
dillerk
Posts: 5
Joined: 2/24/2009 Status: offline

I am trying to encrypt a string to pass as a querystring and to use to confirm a user's account upon creating an account on my web app (ASP.NET C#). My idea is as follows; please correct me if this is not common practice:

1) User fills out form and clicks submit
   a) generate a unique identifier by encrypting a string
   b) store in database as temporary until confirmed
   c) send email with link in the form of http://mydomain/confirm.aspx?cid=<encryptedstringidentifier>
2) User clicks link in email
   a) Database is updated when finding matching <encryptedstringidentifier> in database of unconfirmed accounts

The problem: When I encrypt the string I get some characters that can't be in a querystring; I don't think you can use "/" "=" and so on in querystrings. I want a result that has only alphanumeric characters. Is this possible?

I forgot to add that I still get an error for not having full trust capabilities. I used the code suggested in the other forum but it did not work.
< Message edited by dillerk -- 2/24/2009 7:57:46 PM >
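
One way to get a confirmation identifier made only of alphanumeric characters for the flow described in the post above, as an added example that is not part of the original thread: it does not encrypt anything, but draws 16 bytes from the system's cryptographic random number generator and hex-encodes them. The class and method names and the in-memory dictionary standing in for the database table of unconfirmed accounts are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the thread. ConfirmationTokens and the
// dictionary standing in for the "unconfirmed accounts" table are hypothetical;
// a real site would use its database (and its own locking) instead.
public static class ConfirmationTokens
{
    // token -> user id of the account waiting for confirmation
    private static readonly Dictionary<string, int> Pending =
        new Dictionary<string, int>(StringComparer.Ordinal);

    // 16 random bytes, hex-encoded: 32 characters from 0-9 and a-f only,
    // so the value needs no URL encoding and reveals nothing about the user.
    public static string NewToken()
    {
        byte[] raw = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(raw);
        }
        StringBuilder hex = new StringBuilder(raw.Length * 2);
        foreach (byte b in raw)
        {
            hex.Append(b.ToString("x2"));
        }
        return hex.ToString();
    }

    // Step 1: create the token, store it, and build the link for the e-mail.
    public static string IssueLink(int userId)
    {
        string token = NewToken();
        Pending[token] = userId;
        return "http://mydomain/confirm.aspx?cid=" + token;
    }

    // Step 2: confirm.aspx passes Request.QueryString["cid"] to this method.
    // Returns the confirmed user id, or null when the token is unknown.
    // The token is removed on success, so each link works only once.
    public static int? Confirm(string cid)
    {
        if (cid == null || cid.Length != 32) return null;
        int userId;
        if (!Pending.TryGetValue(cid, out userId)) return null;
        Pending.Remove(cid);
        return userId;
    }
}
```
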

RE: Encrypting string for querystring - 2/26/2009 6:59:48 AM
Maxx
Posts: 287
Joined: 3/22/2004 Status: offline

I'll post an example for you when I get into the office, but I believe we used Server.UrlEncode and Server.UrlDecode.
_____________________________
Director of CDI Support

RE: Encrypting string for querystring - 2/26/2009 9:43:39 AM
Maxx
Posts: 287
Joined: 3/22/2004 Status: offline

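Yes, that is exactly how we encoded an encrypted string to go into a URL.

    ' Encrypt the id, then URL-encode the result before appending it to the link
    Dim s As String
    s = String.Concat("/default.aspx?sid=", Server.UrlEncode(ezc.Encrypt(UserId)))

To get the id back out, note we did not use UrlDecode.

    ' Request.QueryString returns the value already URL-decoded
    s = ezc.Decrypt(Request.QueryString("sid"))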
_____________________________
Director of CDI Support
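
Why the receiving page in the answer above does not call UrlDecode, shown as an added example that is not part of the original thread: the query-string parser already decodes the value once, and a second decode turns "+" into a space. The Base64 sample value is constructed, and the assumption that the encryption component returns Base64 text is mine; the two helper functions show a URL-safe Base64 variant that leaves only letters, digits, "-" and "_".

```csharp
using System;
using System.Collections.Specialized;
using System.Web;

// Added example, not code from the thread. The sample value is constructed;
// it stands in for whatever string the encryption component returns.
public static class QueryStringRoundTrip
{
    // Base64 -> URL-safe Base64: swap the two reserved symbols and drop the
    // '=' padding, leaving only letters, digits, '-' and '_'.
    public static string ToUrlSafe(string base64)
    {
        return base64.TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // URL-safe Base64 -> Base64: reverse the swap and restore the padding.
    public static string FromUrlSafe(string urlSafe)
    {
        string b64 = urlSafe.Replace('-', '+').Replace('_', '/');
        int padding = (4 - b64.Length % 4) % 4;
        return b64.PadRight(b64.Length + padding, '=');
    }

    public static void Main()
    {
        // Constructed sample containing '+', '/' and '='
        string cipherText = "k3+Zq/8hT0w=";

        // Sender side: percent-encode the value when building the link.
        string url = "/default.aspx?sid=" + HttpUtility.UrlEncode(cipherText);

        // Receiver side: ParseQueryString decodes once, as Request.QueryString does.
        NameValueCollection query =
            HttpUtility.ParseQueryString(url.Substring(url.IndexOf('?') + 1));
        string received = query["sid"];
        Console.WriteLine("decoded once matches:  " + (received == cipherText));

        // Decoding a second time turns '+' into a space and corrupts the value.
        string decodedTwice = HttpUtility.UrlDecode(received);
        Console.WriteLine("decoded twice matches: " + (decodedTwice == cipherText));

        // The URL-safe form has nothing to decode, so an extra decode is harmless.
        string safe = ToUrlSafe(cipherText);
        string restored = FromUrlSafe(HttpUtility.UrlDecode(safe));
        Console.WriteLine("url-safe round trip:   " + (restored == cipherText));
    }
}
```
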

RE: Encrypting string for querystring - 3/16/2009 9:08:08 PM
dillerk
Posts: 5
Joined: 2/24/2009 Status: offline

I'm still getting:

System.Security.SecurityException: That assembly does not allow partially trusted callers.

Code:

    ...
    NamedPermissionSet nset = new NamedPermissionSet("FullTrust", System.Security.Permissions.PermissionState.Unrestricted);
    nset.Assert();
    ezCrypto CryptComp = new ezCrypto(AlgorithmTypes.TripleDES);
    string key = Server.UrlEncode(CryptComp.Encrypt(Session.SessionID, "AbCdEfGhIjKlMN69"));
    ...

Any ideas? No idea if the urlencode works until this is resolved.

RE: Encrypting string for querystring - 3/17/2009 9:04:30 AM
Maxx
Posts: 287
Joined: 3/22/2004 Status: offline

The code above is working for us, the only difference is we create the instance of ezCrypto outside of the NamedPermissionSet. Try moving the ezCrypto cryptComp = new ezCrypto(...) above the line where you instantiate nset.
< Message edited by Maxx -- 3/17/2009 9:09:41 AM >
_____________________________
Director of CDI Support

RE: Encrypting string for querystring - 3/17/2009 2:07:03 PM
dillerk
Posts: 5
Joined: 2/24/2009 Status: offline

Still the same outcome. I think GoDaddy hates me. I googled a bit and others have the same issue with them. Any other ideas on how to get around it?

RE: Encrypting string for querystring - 3/17/2009 3:18:53 PM
Maxx
Posts: 287
Joined: 3/22/2004 Status: offline

Wow. Looks like GoDaddy has a lot of restrictions for their website hosting. The only solution is to modify the ezCrypto source code to use the AllowPartiallyTrustedCallersAttribute. This would have to happen here and we'd have to send you an updated .DLL. I can do this for you if you'd like, but I'd like to point out: setting this option in the compile of the library will open it up to security issues from potential outside forces. It kind of defeats the purpose of an encryption component when the encryption can be broken because of trust issues. It's your call.
_____________________________
Director of CDI Support

RE: Encrypting string for querystring - 3/18/2009 12:24:11 PM
dillerk
Posts: 5
Joined: 2/24/2009 Status: offline

If access to the site, for the most part, is by login only, do you think the risk is great? What kinds of vulnerabilities would it have? I'm trying to launch a web service for my users that they will pay to use, so I don't want any compromises that I can't help. I use ezCrypto in an intranet digital filing application and it works great; I'm disappointed that it doesn't work the same in this scenario. What are your suggestions? Feel free to email me if you feel any further posts on this forum are not beneficial to anyone else who may read it. You may contact me at dillerk@embarqmail.com or admin@digigreek.net. Thanks a lot.

RE: Encrypting string for querystring - 3/19/2009 7:25:14 AM
Maxx
Posts: 287
Joined: 3/22/2004 Status: offline

It's difficult to say if there is any issue at all. We use Strong Naming on all of our components, which just means we sign them. This prevents the .DLL code from executing if the code has been modified after it was compiled. The downside to this is your app needs to have a higher level of security to run the .DLL, which is known as full trust. In a partial trust situation, the component relaxes some of the security, which basically means any rogue application can attach itself to the component (DLL) and run the code.

The reason ezCrypto should run in a full trust environment is it provides direct file access. We encrypt and decrypt directly to the hard drive without your application providing a stream. On a web server, depending on how access is set up, this feature may not work anyway, since the website may not have the rights to store a file on the hard drive in the first place.

I believe you're just using the app to encrypt strings for URLs. In this case a partial trust should be fine. Let me know if you'd like a modified version that should work in your situation; we can send it to one of the emails you listed.
_____________________________
Director of CDI Support

RE: Encrypting string for querystring - 3/20/2009 12:29:44 AM
dillerk
Posts: 5
Joined: 2/24/2009 Status: offline

Yes, please send me an updated version of the DLL. I think it would be beneficial to be able to at least encrypt URL strings and maybe some user information before storing it in a database. Once things move along and I relocate to either a dedicated server or my own server where I have more rights, I'll change back to the original DLL to use in full trust. Thanks for your help. You can send the file to either dillerk@embarqmail.com or admin@digigreek.net; either will reach me.